add internal IPA support and revproxy

This commit is contained in:
Louis Abel 2023-07-25 02:23:31 -07:00
parent ed1aafc13f
commit 9bdc4d66a6
Signed by: label
GPG Key ID: 2A6975660E424560
7 changed files with 70 additions and 0 deletions

View File

@ -34,6 +34,7 @@ gerrit_sshd_threads: "32"
# Gerrit httpd # Gerrit httpd
gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/" gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
gerrit_httpd_proxy_url: "http://127.0.0.1:8080/"
gerrit_referenced_objects_reachable: false gerrit_referenced_objects_reachable: false
# Gerrit setup # Gerrit setup
@ -54,4 +55,7 @@ oauth_client_secret: "NONE"
# ldap if enabled # ldap if enabled
ldap_url_list: ldap_url_list:
- ldap://ipa-us-east-2.rockylinux.org - ldap://ipa-us-east-2.rockylinux.org
# Use freeipa CA
tls_use_internal_freeipa: true
... ...

View File

@ -5,6 +5,7 @@
become: true become: true
vars_files: vars_files:
- vars/gerrit.yml - vars/gerrit.yml
- vars/internal.yml
handlers: handlers:
- import_tasks: handlers/main.yml - import_tasks: handlers/main.yml
@ -43,6 +44,11 @@
fail_msg: "Please set a proper database password." fail_msg: "Please set a proper database password."
when: not gerrit_allow_insecure_passwords|bool when: not gerrit_allow_insecure_passwords|bool
roles:
- role: rockylinux.ipagetcert
state: present
when: tls_use_internal_freeipa|bool
tasks: tasks:
- name: Deploy gerrit as needed - name: Deploy gerrit as needed
ansible.builtin.import_tasks: tasks/install.yml ansible.builtin.import_tasks: tasks/install.yml

7
roles/requirements.yml Normal file
View File

@ -0,0 +1,7 @@
---
# Roles
roles:
- name: rockylinux.ipagetcert
src: https://github.com/rocky-linux/ansible-role-ipa-getcert
version: main
...

View File

@ -2,6 +2,9 @@
- name: Setup gerrit basics - name: Setup gerrit basics
ansible.builtin.include_tasks: setup.yml ansible.builtin.include_tasks: setup.yml
- name: Install and configure packages
ansible.builtin.include_tasks: pkg.yml
- name: Install gerrit - name: Install gerrit
ansible.builtin.include_tasks: deploy.yml ansible.builtin.include_tasks: deploy.yml
... ...

21
tasks/pkg.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: Install packages as needed
ansible.builtin.package:
name: "{{ installed_packages }}"
state: present
- name: Deploy reverse proxy
ansible.builtin.template:
src: "gerrit.httpd.j2"
dest: "/etc/httpd/conf.d/gerrit.conf"
owner: root
group: root
mode: "0644"
notify: restart_httpd
- name: Ensure httpd is enabled and running
ansible.builtin.systemd:
name: httpd.service
state: running
enabled: true
...

19
templates/gerrit.httpd.j2 Normal file
View File

@ -0,0 +1,19 @@
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/{{ ansible_fqdn }}.crt
SSLCertificateKeyFile /etc/pki/tls/private/{{ ansible_fqdn }}.key
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
<Proxy *>
#Order deny,allow
#Allow from all
# Use following line instead of the previous two on Apache >= 2.4
Require all granted
</Proxy>
AllowEncodedSlashes On
ProxyPass / {{ gerrit_httpd_proxy_url }} nocanon
#ProxyPassReverse / {{ gerrit_httpd_proxy_url }} nocanon
</VirtualHost>

10
vars/internal.yml Normal file
View File

@ -0,0 +1,10 @@
---
ipa_getcert_requested_hostnames:
- name: "{{ ansible_fqdn }}"
owner: apache
key_location: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
cert_location: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
postcmd: "/bin/systemctl reload httpd"
cnames:
- "git.rockylinux.org"
...